Abstract

We present a new approach to unbounded, fully symbolic model checking of timed automata that is based on an efficient translation of quantified separation logic to quantified Boolean logic. Our technique preserves the interpretation of clocks over the reals and can check any property expressed in the timed $\mu$ calculus. The core operations of eliminating quantifiers over real variables and deciding separation logic are respectively translated to eliminating quantifiers on Boolean variables and checking Boolean satisfiability (SAT). We can thus leverage well-known techniques for Boolean formulas, including Binary Decision Diagrams (BDDs) and recent advances in SAT and SAT-based quantifier elimination. We present preliminary empirical results for a BDD-based implementation of our method.
1 Introduction

Timed automata [2] have proved to be a useful formalism for modeling real-time systems. A timed automaton is a generalization of a finite automaton with a set of real-valued clock variables. The state space of a timed automaton thus has a finite component (over Boolean state variables) and an infinite component (over clock variables). Several model checking techniques for timed automata have been proposed over the past decade. These can be classified, on the one hand, as being either symbolic or fully symbolic, and on the other, as being bounded or unbounded. Symbolic techniques use a symbolic representation for the infinite component of the state space, and either symbolic or explicit representations for the finite component. In contrast, fully symbolic methods employ a single symbolic representation for both finite and infinite components of the state space. Bounded model checking techniques work by unfolding the transition relation $d$ times, finding counterexamples of length up to $d$, if they exist. As in the untimed case, these methods suffer from the limitation that, unless a bound on the length of counterexamples is known, they cannot verify the property of interest. Unbounded methods, on the other hand, can produce a guarantee of correctness.

The theoretical foundation for unbounded, fully symbolic model checking of timed automata was laid by Henzinger et al. [11]. The characteristic function of a set of states is a formula in separation logic, a quantifier-free fragment of first-order logic. Formulas in Separation Logic (SL) are Boolean combinations of Boolean variables and predicates of the form $x_i \bowtie x_j + c$ where $\bowtie \in \{>, \geq\}$, $x_i$ and $x_j$ are real-valued variables, and $c$ is a constant. Quantified Separation Logic (QSL) is an extension of SL with quantifiers over real and Boolean variables. The most important model checking operations involve deciding SL formulas and eliminating quantifiers on real variables from QSL formulas.

In this paper, we present the first approach to unbounded, fully symbolic model checking of timed automata that is based on a Boolean encoding of SL formulas and that preserves the interpretation of clocks over the reals. Unlike many other fully symbolic techniques, our method can be used to model check any property in the timed $\mu$ calculus or Timed Computation Tree Logic (TCTL) [3]. The main theoretical contribution of this paper is a new technique for transforming the problem of eliminating quantifiers on real variables to one of eliminating quantifiers on Boolean variables. In some cases, we can avoid introducing Boolean quantification altogether. These techniques, in conjunction with previous work on deciding SL formulas via a translation to Boolean satisfiability (SAT) [17], allow us to leverage well-known techniques for manipulating quantified Boolean formulas, including Binary Decision Diagrams (BDDs) and recent work on SAT and SAT-based quantifier elimination [13].

Related Work. The work that is most closely related to ours is the approach based on representing SL formulas using Difference Decision Diagrams (DDDs) [14]. A DDD is a BDD-like data structure, where the node labels are generalized to be separation predicates rather than just Boolean variables, with the ordering of predicates induced by an ordering of clock variables. This predicate ordering permits the use of local reduction operations, such as eliminating inconsistent combinations of two predicates that involve the same pair of clock variables. Deciding a SL formula represented as a DDD is done by eliminating all inconsistent paths in the DDD. This is done by enumerating all paths in the DDD and checking the satisfiability of the conjunction of predicates on each path using a constraint solver based on the Bellman-Ford shortest path algorithm. Note that each path can be viewed as a disjunct in the Disjunctive Normal Form (DNF) representation of the DDD, and in the worst case there can be exponentially many calls to the constraint solver. Quantifier elimination is performed by the Fourier-Motzkin technique [10], which also requires enumerating all possible paths. In contrast, our Boolean encoding method is general in that any representation of Boolean functions may be used. Our decision procedure and quantifier elimination scheme use a direct translation to SAT and Boolean quantification, respectively, avoiding the need to explicitly enumerate each DNF term. In theory, the use of DDDs permits unbounded, fully symbolic model checking of TCTL; however, the DDD-based model checker [14] can only check reachability properties (these can express safety and bounded-liveness properties [1]).

Uppaal2k and Kronos are unbounded, symbolic model checkers that explicitly enumerate the discrete component of the state space. Kronos uses Difference Bound Matrices (DBMs) as the symbolic representation [19] of the infinite component. Uppaal2k uses, in addition, Clock Difference Diagrams (CDDs) to symbolically represent unions of convex clock regions [6]. In a CDD, a node is labeled by the difference of a pair of clock variables, and each outgoing edge from a node is labeled with an interval bounding that difference. Note that while Kronos can check arbitrary TCTL formulas, Uppaal2k is limited to checking reachability properties and very restricted liveness properties such as $AF\,p$.

Red is an unbounded, fully symbolic model checker based on a data structure called the Clock Restriction Diagram (CRD) [18]. The CRD is similar to a CDD, labeling each node with the difference between two clock variables. However, each outgoing edge from a node is labeled with an upper bound, instead of an interval. Red represents separation formulas by a combined BDD-CRD structure, and can model check TCTL formulas.

A fully symbolic version of Kronos using BDDs has been developed by interpreting clock variables over integers [8]; however, this approach is restricted to checking reachability for the subclass of closed timed automata¹, and the encoding blows up with the size of the integer constants. Rabbit [7] is a tool based on this approach that additionally exploits compositional methods to find good BDD variable orderings. In comparison, our technique applies to all timed automata and its efficiency is far less sensitive to the size of constants. Also, the variable ordering methods used in Rabbit could be used in a BDD-based implementation of our technique.

Many fully symbolic, but bounded model checking methods based on SAT have been developed recently (e.g., [5, 15]). These algorithms cannot be directly extended to perform unbounded model checking.

The rest of the paper is organized as follows. We define notation and present background material in Sections 2 and 3. We describe our new contributions in Sections 4 and 5. We conclude in Section 6 with experimental results and ongoing work.

2 Background

We begin with a brief presentation of background material, based on papers by Alur [2] and Henzinger et al. [11]. We refer the reader to these papers for details.

2.1 Separation Logic

Separation logic (SL), also known as difference logic, is a quantifier-free fragment of first-order logic. A formula $\phi$ in separation logic is a Boolean combination of Boolean variables and separation predicates (also known as difference bound constraints) involving real-valued variables, as given by the following grammar:

$\phi ::= true \mid false \mid b \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid x_i \geq x_j + c \mid x_i > x_j + c$

We use a special variable $x_0$ to denote the constant 0; this allows us to express bounds of the form $x \bowtie c$. We will however use both $x \bowtie c$ and $x \bowtie x_0 + c$, where $\bowtie \in \{>, \geq\}$, as suits the context. We will denote Boolean variables by $b, b_1, b_2, \ldots$, real variables by $x, x_1, x_2, \ldots$, and SL formulas by $\phi, \phi_1, \phi_2, \ldots$. Note that the relations $>$ and $\geq$ suffice to represent equalities and other inequalities.

¹ Clock constraints in a closed timed automaton do not contain strict inequalities.

Characteristic functions of sets of states of timed automata are SL formulas. Deciding the satisfiability of a SL formula is NP-complete [11].

Quantified Separation Logic. Separation logic can be generalized by the addition of quantifiers over both Boolean and real variables. This yields quantified separation logic (QSL). The satisfiability problem for QSL is PSPACE-complete [12]. We will denote QSL formulas by $\omega, \omega_1, \ldots$.

2.2 Timed Automata

A timed automaton $T$ is a tuple $(\mathcal{L}, \mathcal{L}_0, \Sigma, \mathcal{X}, \mathcal{I}, \mathcal{E})$, where $\mathcal{L}$ is a finite set of locations, $\mathcal{L}_0 \subseteq \mathcal{L}$ is a finite set of initial locations, $\Sigma$ is a finite set of labels used for product construction, $\mathcal{X}$ is a finite set of non-negative real-valued clock variables, $\mathcal{I}$ is a function mapping a location to a SL formula (called a location invariant), and $\mathcal{E}$ is the transition relation, a subset of $\mathcal{L} \times \Psi \times \mathcal{R} \times \Sigma \times \mathcal{L}$, where $\Psi$ is a set of SL formulas that form enabling guard conditions for each transition, and $\mathcal{R}$ is a set of clock reset assignments. A location invariant is the condition under which the system can stay in that location. A clock reset assignment is of the form $x_i := x_0 + c$ or $x_i := x_j$, where $x_i, x_j \in \mathcal{X}$ and $c$ is an integer constant,² and indicates that the clock variable on the left-hand side of the assignment is reset to the value of the expression on the right-hand side. We will denote guards by $\psi, \psi_1, \ldots$.

Two timed automata are composed by synchronizing over common labels. We refer the reader to Alur's paper [2] for a formal definition of product construction. Note that in contrast to the definition of timed automata given by Alur [2], we allow location invariants and guards to be arbitrary SL formulas, rather than simply conjunctions over separation predicates involving clock variables.

The invariant $I_T$ for the timed automaton $T$ is defined as $I_T = \bigvee_{l \in \mathcal{L}} (enc(l) \wedge \mathcal{I}(l))$, where $enc(l)$ denotes the Boolean encoding of location $l$. We will also denote a transition $t \in \mathcal{E}$ as $\psi \rightarrow A$, where $\psi$ is a guard condition over both Boolean state variables (used to encode locations) and clock variables of the system, and $A$ is a set of assignments to clock and Boolean state variables.

2.3 Timed $\mu$ Calculus and TCTL

We express properties of timed automata in a generalization of the $\mu$ calculus called the timed $\mu$ (T$\mu$) calculus. A formula $\varphi$ of the T$\mu$ calculus is generated by the following grammar:

$\varphi ::= X \mid \phi \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \varphi_1 \rhd \varphi_2 \mid z.\varphi \mid \mu X.\varphi \mid \nu X.\varphi$

$z$ is a specification clock variable (i.e., $z \notin \mathcal{X}$) and $X$ is a formula variable used in fixpoint computation. The formula $\varphi_1 \rhd \varphi_2$ means that the formula $\varphi_1$ is true at the present state, and remains true (as time elapses) until some transition is taken, at which time formula $\varphi_2$ becomes true; thus "$\rhd$" is essentially a next-state operator. The formula $z.\varphi$ is true in a state where $\varphi$ is true after setting specification clock variable $z$ to zero. The expression $\mu X.\varphi$ stands for the least fixpoint of $\varphi$, where $X$ is a formula variable bound inside $\varphi$; $\nu$ denotes the greatest fixpoint operator.

Henzinger et al. [11] show that the T$\mu$ calculus can express the dense-real-time version of Computation Tree Logic (CTL), Timed CTL (TCTL) [3]. TCTL generalizes CTL by allowing atomic propositions to be any SL formula, and in addition contains formulas of the form $z.\varphi$ where $z$ is a specification clock variable and $\varphi$ is a TCTL formula in which $z$ appears free; the latter class enables one to write time-bounded properties. We omit the details for brevity.

² The assignment $x_i := c$ is represented as $x_i := x_0 + c$. Wherever we use $x_i$ to denote a clock variable, $i > 0$.

Several model checkers are specialized to check reachability properties. Using the notation of the T$\mu$ calculus, a reachability property is a formula of the form

$\phi_{init} \Rightarrow \neg\mu X.[\phi_{err} \vee (true \rhd X)]$

where $\phi_{init}$ is the initial set of states, and $\phi_{err}$ characterizes the bad states; the formula evaluates to true if no error state is reachable from any initial state.

3 Fully Symbolic Model Checking

We use a model checking algorithm given by Henzinger et al. [11]. This algorithm checks that a timed automaton $T$ satisfies a specification given as a T$\mu$ formula $\varphi$. The algorithm always terminates, and generates a SL formula $|\varphi|$ such that, if $T$ is non-zeno (i.e., time can diverge from any state), then $|\varphi|$ is equivalent to $I_T$.

The algorithm is fully symbolic since it avoids the need to enumerate locations by representing sets of values of both Boolean state variables and clock variables as SL formulas. It performs backward exploration of the state space and uses the following three special operators over SL formulas:

1. Time Elapse: $\phi_1 \rightsquigarrow \phi_2$ denotes the set of all states that can reach the state set $\phi_2$ by allowing time to elapse, while staying in state set $\phi_1$ at all times in between. Formally,

$\phi_1 \rightsquigarrow \phi_2 = \exists\delta\,\{\delta \geq x_0 \wedge (\phi_2 + \delta) \wedge \forall\epsilon\,[x_0 \leq \epsilon \leq \delta \Rightarrow \phi_1 + \epsilon]\}$ (1)

where $\phi + \delta$ denotes the formula obtained by adding $\delta$ to all clock variables occurring in $\phi$, computed as $\phi[x_i + \delta/x_i, 1 \leq i \leq n]$, where $x_1, x_2, \ldots, x_n$ are the clock variables in $\phi$ (i.e., not including the zero variable $x_0$).

2. Assignment: $\phi[A]$, where $A$ is a set of assignments, denotes the formula obtained by simultaneously substituting in $\phi$ the right hand side of each assignment in $A$ for the left hand side. Formally, if $A$ is the list $b_1 := \phi_1, \ldots, b_k := \phi_k, x_1 := x_{j_1} + c_1, \ldots, x_n := x_{j_n} + c_n$, where each $b_i$ is a Boolean variable, each $x_i$ is a clock variable, and for each $x_{j_i}$, $j_i = 0$ or $c_i = 0$, then

$\phi[A] = \phi[\phi_1/b_1, \ldots, \phi_k/b_k, x_{j_1} + c_1/x_1, \ldots, x_{j_n} + c_n/x_n]$

Assignments are thus performed via substitutions of variables.

3. Weakest Pre-condition: $pre_T\,\phi$ denotes the weakest precondition of $\phi$ with respect to the timed automaton $T$. Formally,

$pre_T\,\phi = I_T \wedge (\phi \vee \bigvee_{t \in \mathcal{E}} pre_t(I_T \wedge \phi))$

where for a transition $t = \psi \rightarrow A$,

$pre_t(\phi) = \psi \wedge \phi[A]$

Note that $pre_T$ is defined using assignments and Boolean operations.
The model checking algorithm is defined inductively on the structure of T$\mu$ formulas:

• $|\phi| := I_T \wedge \phi$

• $|\neg\varphi| := I_T \wedge \neg|\varphi|$

• $|\varphi_1 \vee \varphi_2| := |\varphi_1| \vee |\varphi_2|$

• $|\varphi_1 \rhd \varphi_2| := |(|\varphi_1| \vee |\varphi_2|) \rightsquigarrow pre_T(|\varphi_2|)|$

• $|z.\varphi| := |\varphi|[z := 0]$

• $|\mu X.\varphi|$ is the result of the following iteration:

    $\phi_{new}$ := false;
    repeat
        $\phi_{old}$ := $\phi_{new}$;
        $\phi_{new}$ := $|\varphi[\phi_{old}/X]|$;
    until ($\phi_{new} \Rightarrow \phi_{old}$);
    return $\phi_{old}$

As can be seen from the algorithm description above, apart from Boolean operators, the main components of the algorithm are: quantifier elimination in the time elapse operation, substitution of state variables in an assignment, and the decision procedure used to check containment in fixpoint computation. For a fully symbolic model checker that represents state sets as SL formulas, these model checking operators can be defined as operations in QSL. We elaborate below.

Time Elapse. Consider the formula on the right hand side of Equation 1, the definition of the time elapse operator. This formula is not in QSL, since it includes expressions that are the sum of two real variables (e.g., $x + \delta$). However, it can be transformed to a QSL formula, by using instead of $\delta$ and $\epsilon$, variables $\bar\delta$ and $\bar\epsilon$ that represent their negations:

$\exists\bar\delta\,\{\bar\delta \leq x_0 \wedge (\phi_2 + (-\bar\delta)) \wedge \forall\bar\epsilon\,[\bar\delta \leq \bar\epsilon \leq x_0 \Rightarrow \phi_1 + (-\bar\epsilon)]\}$ (2)

Formula 2 is expressible in QSL, since the substitution $\phi[x_i + (-\bar\delta)/x_i, 1 \leq i \leq n]$ can be computed as $\phi[\bar\delta/x_0]$.³ This yields,

$\exists\bar\delta\,\{\bar\delta \leq x_0 \wedge \phi_2[\bar\delta/x_0] \wedge \forall\bar\epsilon\,(\bar\delta \leq \bar\epsilon \leq x_0 \Rightarrow \phi_1[\bar\epsilon/x_0])\}$ (3)

Finally, we can rewrite Formula 3 purely in terms of existential quantifiers:

$\exists\bar\delta\,\{\bar\delta \leq x_0 \wedge \phi_2[\bar\delta/x_0] \wedge \neg\exists\bar\epsilon\,\{\bar\epsilon \leq x_0 \wedge \bar\delta \leq \bar\epsilon \wedge \neg\phi_1[\bar\epsilon/x_0]\}\}$ (4)

A procedure for performing the time elapse operation therefore requires one for eliminating (existential) quantifiers over real variables from a SL formula.

Checking Containment. Containment of one set of states, $\phi_{new}$, in another, $\phi_{old}$, is checked by deciding the validity of the SL formula $\phi = \phi_{new} \Rightarrow \phi_{old}$ (or equivalently, the satisfiability of $\neg\phi$). There are several procedures that can decide separation formulas (e.g., [17, 4, 15]).

³ Note that substituting $x_0$ by $\bar\delta$ or $\bar\epsilon$ can be viewed as shifting the zero reference point to a more negative value, thus increasing the value of any clock variable relative to zero (e.g., [5, 14]).
4 Model Checking Operations using Boolean Encoding

We now show how to implement the fundamental model checking operations using a Boolean encoding of separation predicates. We first describe how our encoding allows us to replace quantification of real variables by quantification of Boolean variables. This builds on previous work on deciding a SL formula by transformation to a Boolean formula [17]. We then show how we represent SL formulas as Boolean formulas, allowing the model checking operations to be implemented as operations in Quantified Boolean Logic (QBL), and enabling the use of QBL packages, e.g., a BDD package.

In the remainder of this section, we will use $\phi$ to denote a SL formula over real variables $x_1, x_2, \ldots, x_n$, and Boolean variables $b_1, b_2, \ldots, b_k$. Also, let $\bowtie, \bowtie_1, \bowtie_2 \in \{>, \geq\}$.


4.1 From Real Quantification to Boolean Quantification

Consider the QSL formula $\omega_a = \exists x_a.\phi$, where $a \in [1..n]$.

We transform $\omega_a$ to an equivalent QSL formula $\omega_{bool}$ with quantifiers over only Boolean variables in the following three steps:

1. Encode separation predicates:

Consider each separation predicate in $\phi$ of the form $x_i \bowtie x_j + c$ where either $i = a$ or $j = a$. For each such predicate, we generate a corresponding Boolean variable $e^{\bowtie,c}_{i,j}$. Separation predicates that are negations of each other are represented by Boolean literals (true or complemented variables) that are negations of each other; however, for ease of presentation, we will extend the naming convention for Boolean variables to Boolean literals, writing $\neg e^{\bowtie,c}_{i,j}$ for the negation of $e^{\bowtie,c}_{i,j}$.

Let the added Boolean variables be $e^{\bowtie_1,c_1}_{a,j_1}, \ldots, e^{\bowtie_p,c_p}_{a,j_p}$ for the predicates of the form $x_a \bowtie x_j + c$ (lower bounds on $x_a$), and $e^{\bowtie'_1,c'_1}_{i_1,a}, \ldots, e^{\bowtie'_q,c'_q}_{i_q,a}$ for those of the form $x_i \bowtie x_a + c$ (upper bounds on $x_a$).

We replace each predicate $x_a \bowtie x_j + c$ (or $x_i \bowtie x_a + c$) in $\phi$ by the corresponding Boolean variable $e^{\bowtie,c}_{a,j}$ (or $e^{\bowtie,c}_{i,a}$). Let the resulting SL formula be $\phi_{bool}$.


2. Add transitivity constraints:

Notice that there can be assignments to the $e^{\bowtie,c}_{a,j}$ and $e^{\bowtie,c}_{i,a}$ variables that have no corresponding assignment to the real-valued variables. To disallow such assignments, we place constraints on these added Boolean variables. Each constraint is generated from two Boolean literals that encode predicates containing $x_a$. We will refer to these constraints as transitivity constraints for $x_a$.

A transitivity constraint for $x_a$ has one of the following types:

(a) $e^{\bowtie_1,c_1}_{i,a} \wedge e^{\bowtie_2,c_2}_{a,j} \Rightarrow (x_i \bowtie x_j + c_1 + c_2)$, where if $\bowtie_1 = \bowtie_2$, then $\bowtie = \bowtie_1$; otherwise, we must duplicate this constraint for both $\bowtie = \bowtie_1$ and $\bowtie = \bowtie_2$.

(b) $e^{\bowtie_1,c_1}_{i,j} \Rightarrow e^{\bowtie_2,c_2}_{i,j}$, where $c_1 > c_2$ and either $i = a$ or $j = a$.

(c) $e^{>,c}_{i,j} \Rightarrow e^{\geq,c}_{i,j}$, where either $i = a$ or $j = a$.

Note that a constraint of type (a) involves a separation predicate $(x_i \bowtie x_j + c_1 + c_2)$. This predicate might not be present in the original formula $\phi$.⁴

After generating all transitivity constraints for $x_a$, we conjoin them to get the SL formula $\phi_{cons}$.


3. Finally, generate the QSL formula $\omega_{bool}$ given below:

$\omega_{bool} = \exists e^{\bowtie_1,c_1}_{a,j_1} \ldots e^{\bowtie_p,c_p}_{a,j_p}\; e^{\bowtie'_1,c'_1}_{i_1,a} \ldots e^{\bowtie'_q,c'_q}_{i_q,a}\,[\phi_{cons} \wedge \phi_{bool}]$


We formalize the correctness of this transformation in the following theorem.

Theorem 1 $\omega_a$ and $\omega_{bool}$ are equivalent.

Proof: To show that $\omega_a$ and $\omega_{bool}$ are equivalent, we show that both $\omega_a \Rightarrow \omega_{bool}$ and $\omega_{bool} \Rightarrow \omega_a$ are valid. Note first that the free variables in both implications are the real-valued variables $x_1, x_2, \ldots, x_{a-1}, x_{a+1}, \ldots, x_n$ and the Boolean variables $b_1, b_2, \ldots, b_k$. For all $i$ and $j$, the values assigned to $x_i$ and $b_j$ by an assignment $A$ are denoted by $A[x_i]$ and $A[b_j]$ respectively.


1. We first show that $\omega_a \Rightarrow \omega_{bool}$ is valid.

Let $A$ denote an arbitrary assignment to all free variables and to the bound real variable $x_a$ in $\omega_a$ such that $A[\omega_a] = true$. We extend $A$ with an assignment to the Boolean variables $e^{\bowtie,c}_{a,j}$ and $e^{\bowtie,c}_{i,a}$ such that $A[\omega_{bool}] = true$, and hence $A[\omega_a \Rightarrow \omega_{bool}] = true$.

Define an evaluation of the newly added Boolean variables according to the following rules:

$A[e^{\bowtie,c}_{a,j}] = A[x_a \bowtie x_j + c]$ for all $j \neq a$, for all constants $c$ and relations $\bowtie$ (5)

$A[e^{\bowtie,c}_{i,a}] = A[x_i \bowtie x_a + c]$ for all $i \neq a$, for all constants $c$ and relations $\bowtie$ (6)

Since $A[\omega_a] = true$, $A[\phi] = true$. Further, using Equations 5 and 6, we can conclude that $A[\phi_{bool}] = A[\phi]$, because $\phi_{bool}$ is obtained from $\phi$ by replacing predicates $(x_a \bowtie x_j + c)$ and $(x_i \bowtie x_a + c')$ (for all $i, j$ and for all constants $c, c'$) with Boolean variables $e^{\bowtie,c}_{a,j}$ and $e^{\bowtie,c'}_{i,a}$. Therefore, $A[\phi_{bool}] = true$.

To show that $A[\omega_{bool}] = true$, we need to additionally show that $A[\phi_{cons}] = true$. We consider an arbitrary transitivity constraint of each type:

(a) $e^{\bowtie_1,c_1}_{i,a} \wedge e^{\bowtie_2,c_2}_{a,j} \Rightarrow (x_i \bowtie x_j + c_1 + c_2)$.

Suppose $A[e^{\bowtie_1,c_1}_{i,a} \wedge e^{\bowtie_2,c_2}_{a,j}] = true$. Then, by Equations 5 and 6, we conclude that $A[x_i] \bowtie_1 A[x_a] + c_1$ and $A[x_a] \bowtie_2 A[x_j] + c_2$. If $\bowtie_1 = \bowtie_2 = \bowtie$, we can infer $A[x_i] \bowtie A[x_j] + c_1 + c_2$, and thus $A[x_i \bowtie x_j + c_1 + c_2] = true$. If $\bowtie_1 \neq \bowtie_2$, then we can infer $A[x_i \bowtie_1 x_j + c_1 + c_2] = A[x_i \bowtie_2 x_j + c_1 + c_2] = true$.

(b) $e^{\bowtie_1,c_1}_{i,j} \Rightarrow e^{\bowtie_2,c_2}_{i,j}$, where $c_1 > c_2$ and either $i = a$ or $j = a$.

Suppose $A[e^{\bowtie_1,c_1}_{i,j}] = true$. Then, by Equations 5 and 6, $A[x_i \bowtie_1 x_j + c_1] = true$. Since $c_1 > c_2$, $A[x_i \bowtie_2 x_j + c_2] = true$, and hence $A[e^{\bowtie_2,c_2}_{i,j}] = true$.

(c) $e^{>,c}_{i,j} \Rightarrow e^{\geq,c}_{i,j}$, where either $i = a$ or $j = a$.

Exactly as for type (b) constraints, $A[e^{>,c}_{i,j}] = A[x_i > x_j + c] = true$. Therefore, $A[x_i \geq x_j + c] = true$ and hence $A[e^{\geq,c}_{i,j}] = true$.

Thus, $A$ satisfies all transitivity constraints, and hence $A[\phi_{cons}] = true$, completing the proof for the first part.

⁴ This addition is analogous to the "tightening" step performed in difference-bound matrix based algorithms.

2. We now show that $\omega_{bool} \Rightarrow \omega_a$ is valid.

Let $A$ denote an arbitrary assignment to all free variables and to the bound Boolean variables in $\omega_{bool}$ such that $A[\omega_{bool}] = true$. We extend $A$ with an evaluation of $x_a$ such that $A[\omega_a] = true$, and hence $A[\omega_{bool} \Rightarrow \omega_a] = true$.

Since $A[\omega_{bool}] = true$, we know that $A[\phi_{cons}] = true$ (i.e., the transitivity constraints are satisfied by $A$) and $A[\phi_{bool}] = true$.

Suppose we can find a value $A[x_a]$ that satisfies the following equations:

$A[x_a \bowtie x_j + c] = A[e^{\bowtie,c}_{a,j}]$ for all $j \neq a$, for all constants $c$ (7)

$A[x_i \bowtie x_a + c] = A[e^{\bowtie,c}_{i,a}]$ for all $i \neq a$, for all constants $c$ (8)

Then, $A[\phi_{bool}] = A[\phi]$, because $\phi_{bool}$ is obtained from $\phi$ by replacing predicates $(x_a \bowtie x_j + c)$ and $(x_i \bowtie x_a + c')$ (for all $i, j$ and for all constants $c, c'$) with Boolean variables $e^{\bowtie,c}_{a,j}$ and $e^{\bowtie,c'}_{i,a}$. Since $A[\phi_{bool}] = true$, $A[\phi] = true$, and hence $A[\omega_a] = true$.

A value $A[x_a]$ that satisfies Equations 7 and 8 exists if:

$A[x_a] \geq A[x_j] + c$ if $A[e^{\geq,c}_{a,j}] = true$ (9)

$A[x_a] < A[x_j] + c$ if $A[e^{\geq,c}_{a,j}] = false$ (10)

$A[x_a] > A[x_j] + c$ if $A[e^{>,c}_{a,j}] = true$ (11)

$A[x_a] \leq A[x_j] + c$ if $A[e^{>,c}_{a,j}] = false$ (12)

In the above equations, w.l.o.g., we use literals encoding lower bounds on $x_a$ (e.g., $e^{\bowtie,c}_{a,j}$) in place of those encoding upper bounds (e.g., $e^{\bowtie,c}_{j,a}$).

Let

$U_a = \min_{j,c\ \text{s.t.}\ A[e^{\bowtie,c}_{a,j}] = false}\,(A[x_j] + c)$

and

$L_a = \max_{j,c\ \text{s.t.}\ A[e^{\bowtie,c}_{a,j}] = true}\,(A[x_j] + c)$

$U_a$ and $L_a$ are respectively the tightest upper and lower bounds on $A[x_a]$. Define the ordering relation $\circ$ as follows:

$\circ = \begin{cases} \geq & \text{if the tightest bounds are non-strict, i.e., } A[x_a] \leq U_a \text{ and } A[x_a] \geq L_a \\ > & \text{otherwise} \end{cases}$ (13)

Then, the inequalities 9 to 12 can be satisfied if:

$U_a \circ L_a$ (14)

In other words, if the minimum upper bound on $A[x_a]$ is greater than (or greater than or equal to) the maximum lower bound on $A[x_a]$.

To show that the above is true, it is enough to show that for any pair of upper and lower bounds on $A[x_a]$, the relation $\circ$ holds, and so it holds in particular for the minimum upper bound and the maximum lower bound. For example, for the two inequalities $A[x_a] < A[x_j] + c_1$ and $A[x_a] \geq A[x_k] + c_2$ to be true we need that $A[x_j] + c_1 > A[x_k] + c_2$.

Therefore, consider two arbitrary indices $j$ and $k$ different from $a$. We need to consider four cases based on evaluations of the Boolean literals $e^{\bowtie_1,c_1}_{a,j}$ and $e^{\bowtie_2,c_2}_{a,k}$. Note that cases in which both literals evaluate to true or both to false only give rise to two lower bounds or to two upper bounds. By the transitivity constraints of types (b) and (c), if the minimum upper bound (or maximum lower bound) is satisfied, then every other upper bound (or lower bound) will be satisfied.

The four cases are enumerated below:

(a) $A[e^{>,c_1}_{a,j}] = false$, $A[e^{\geq,c_2}_{a,k}] = true$.

This implies that

$A[x_j] \geq A[x_a] - c_1$ and $A[x_a] \geq A[x_k] + c_2$

We need to show that

$A[x_j] + c_1 \geq A[x_k] + c_2$

or

$A[x_j] \geq A[x_k] + (c_2 - c_1)$

The last inequality is true, since $A$ satisfies the transitivity constraint $e^{\geq,-c_1}_{j,a} \wedge e^{\geq,c_2}_{a,k} \Rightarrow (x_j \geq x_k + c_2 - c_1)$.

(b) $A[e^{\geq,c_1}_{a,j}] = false$, $A[e^{>,c_2}_{a,k}] = true$.

This case is identical to the one above, with $>$ and $\geq$ interchanged.

(c) $A[e^{>,c_1}_{a,j}] = false$, $A[e^{>,c_2}_{a,k}] = true$.

This implies that

$A[x_j] \geq A[x_a] - c_1$ and $A[x_a] > A[x_k] + c_2$

We need to show that

$A[x_j] + c_1 > A[x_k] + c_2$

or

$A[x_j] > A[x_k] + (c_2 - c_1)$

The last inequality is true, since $A$ satisfies the transitivity constraint $e^{\geq,-c_1}_{j,a} \wedge e^{>,c_2}_{a,k} \Rightarrow (x_j > x_k + c_2 - c_1)$.

(d) $A[e^{\geq,c_1}_{a,j}] = false$, $A[e^{\geq,c_2}_{a,k}] = true$.

This case is identical to the one above, with $>$ and $\geq$ interchanged.

Thus, we can conclude that Equation 14 is satisfied, and that completes the proof of this part.

□

Example 1 Let $\omega_a = \exists x_a.\phi$ where $\phi = x_a \leq x_0 \wedge x_1 \geq x_a \wedge x_2 \leq x_a$. Then, $\phi_{bool} = e^{\geq,0}_{0,a} \wedge e^{\geq,0}_{1,a} \wedge e^{\geq,0}_{a,2}$, and $\phi_{cons}$ is the conjunction of the following constraints:

$e^{\geq,0}_{0,a} \wedge e^{\geq,0}_{a,2} \Rightarrow x_0 \geq x_2$

$e^{\geq,0}_{1,a} \wedge e^{\geq,0}_{a,2} \Rightarrow x_1 \geq x_2$

Then, $\omega_{bool} = \exists e^{\geq,0}_{0,a}, e^{\geq,0}_{1,a}, e^{\geq,0}_{a,2}\,[\phi_{cons} \wedge \phi_{bool}]$ evaluates to $x_0 \geq x_2 \wedge x_1 \geq x_2$. □

The quantifier transformation procedure described here works even when $\phi$ is replaced by a QSL formula with quantifiers only over Boolean variables.

Note also that the transformation procedure we present here differs from the one presented by Strichman et al. [17] in that the latter is concerned with preserving satisfiability only, whereas the former must produce an equivalent formula that preserves all satisfying assignments to the free variables.

4.2 Deciding SL formulas

Suppose we want to decide the satisfiability of $\phi$. Note that $\phi$ is satisfiable iff the QSL formula $\exists x_1, x_2, \ldots, x_n . \phi$ is.

Using Theorem 1, we can transform this formula to an equivalent QSL formula $\omega_{bool}$ with existential quantifiers only over Boolean variables encoding all separation predicates. As $\omega_{bool}$ is a QBL formula with only existential quantifiers, we can simply discard the quantifiers and use a Boolean satisfiability checker to decide the resulting Boolean formula.

Note that the procedure described above can be viewed as one way to implement the procedure of Strichman et al. [17].
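The translation of Section 4.1, as an added worked example that is not part of the paper or of its model checker: a small Python implementation that builds $\phi_{bool}$ and $\phi_{cons}$ for $\exists x_a.\phi$, keeps the 1-1 mapping from separation predicates to Boolean variables that Section 4.3 describes, and removes the Boolean quantifiers by enumeration, which is the role a BDD or SAT solver plays in the paper. The tuple encoding of formulas, variable names such as e_xa_x0_<_0, and the brute-force reference used to check the result are my own assumptions. It handles a single quantifier; the decision procedure of Section 4.2 is the same translation with every clock quantified, after which the quantifier-free Boolean formula goes to a SAT solver.

```python
# Added example, not the paper's code: the QSL-to-QBL quantifier
# transformation of Section 4.1, checked against a brute-force reference.
# Formulas are nested tuples: ('pred', 'xi', op, 'xj', c) is x_i op x_j + c,
# with ('not', f), ('and', f, g), ('or', f, g), ('bvar', name),
# ('exists_bool', [names], f) and ('true',).  Names and encoding are mine.
import itertools
from fractions import Fraction

FLIP = {'<': '>', '<=': '>=', '>': '<', '>=': '<='}  # x_i op x_j + c  <=>  x_j FLIP[op] x_i - c
NEG = {'<': '>=', '<=': '>', '>': '<=', '>=': '<'}   # negation of a predicate's op

def holds(op, lhs, rhs):
    return {'<': lhs < rhs, '<=': lhs <= rhs, '>': lhs > rhs, '>=': lhs >= rhs}[op]

def evaluate(f, rho):
    """Evaluate f under rho (clocks -> reals, Boolean variables -> bools)."""
    tag = f[0]
    if tag == 'true':
        return True
    if tag == 'pred':
        _, i, op, j, c = f
        return holds(op, rho[i], rho[j] + c)
    if tag == 'bvar':
        return rho[f[1]]
    if tag == 'not':
        return not evaluate(f[1], rho)
    if tag == 'and':
        return evaluate(f[1], rho) and evaluate(f[2], rho)
    if tag == 'or':
        return evaluate(f[1], rho) or evaluate(f[2], rho)
    if tag == 'exists_bool':  # Boolean quantifier: f|e=true or f|e=false, by enumeration
        _, names, body = f
        return any(evaluate(body, {**rho, **dict(zip(names, bits))})
                   for bits in itertools.product([False, True], repeat=len(names)))
    raise ValueError(tag)

def to_bool(f, a, variables):
    """phi_bool: replace each predicate on clock a by a Boolean literal.
    A predicate is first normalised to a bound  a op x_k + c.  The variable
    stands for the upper bound (<, <=) and its negation for the complementary
    lower bound, so mutually negated predicates share a variable (Section 4.3).
    variables records name -> (upper-bound op, k, c), the 1-1 mapping."""
    tag = f[0]
    if tag == 'pred' and a in (f[1], f[3]):
        _, i, op, j, c = f
        op, k, c = (op, j, c) if i == a else (FLIP[op], i, -c)
        positive = op in ('<', '<=')
        upper = op if positive else NEG[op]
        name = f"e_{a}_{k}_{upper}_{c}"
        variables[name] = (upper, k, c)
        return ('bvar', name) if positive else ('not', ('bvar', name))
    if tag == 'not':
        return ('not', to_bool(f[1], a, variables))
    if tag in ('and', 'or'):
        return (tag, to_bool(f[1], a, variables), to_bool(f[2], a, variables))
    return f

def transitivity_constraints(variables):
    """phi_cons: whenever a lower bound  a opL x_j + cL  (variable vl false)
    and an upper bound  a opU x_k + cU  (variable vu true) hold together,
    require  x_j < x_k + (cU - cL), or <= when neither bound is strict."""
    cons = ('true',)
    for vl, (upper_l, j, cl) in variables.items():
        opl = NEG[upper_l]
        for vu, (opu, k, cu) in variables.items():
            if vu == vl:
                continue
            strict = opl == '>' or opu == '<'
            pred = ('pred', j, '<' if strict else '<=', k, cu - cl)
            # (not vl) and vu  =>  pred
            cons = ('and', cons, ('or', ('bvar', vl), ('or', ('not', ('bvar', vu)), pred)))
    return cons

def exists_clock(f, a):
    """Translate  exists a.f  into the QBL formula  exists e.[phi_cons and phi_bool]."""
    variables = {}
    phi_bool = to_bool(f, a, variables)
    omega = ('exists_bool', sorted(variables), ('and', transitivity_constraints(variables), phi_bool))
    return omega, variables

def exists_clock_brute(f, a, rho, variables):
    """Reference semantics: try a at each boundary point x_k + c, between them and beyond."""
    pts = sorted({rho[k] + c for (_, k, c) in variables.values()})
    if not pts:
        return evaluate(f, {**rho, a: Fraction(0)})
    cands = set(pts) | {pts[0] - 1, pts[-1] + 1} | {(p + q) / 2 for p, q in zip(pts, pts[1:])}
    return any(evaluate(f, {**rho, a: v}) for v in cands)

def grid(clocks, values):
    for vals in itertools.product(values, repeat=len(clocks)):
        yield dict(zip(clocks, map(Fraction, vals)))

def agrees_with_brute(f, a, clocks, values):
    """True iff the translated formula matches the reference on every grid point."""
    omega, variables = exists_clock(f, a)
    return all(evaluate(omega, rho) == exists_clock_brute(f, a, rho, variables)
               for rho in grid(clocks, values))

def example1_matches_paper():
    """Example 1: exists x_a.(x_a < x_0 and x_1 > x_a and x_2 < x_a)
    should evaluate to x_0 > x_2 and x_1 > x_2 at every point."""
    phi = ('and', ('pred', 'xa', '<', 'x0', 0),
           ('and', ('pred', 'x1', '>', 'xa', 0), ('pred', 'x2', '<', 'xa', 0)))
    expected = ('and', ('pred', 'x0', '>', 'x2', 0), ('pred', 'x1', '>', 'x2', 0))
    omega, _ = exists_clock(phi, 'xa')
    return all(evaluate(omega, rho) == evaluate(expected, rho)
               for rho in grid(['x0', 'x1', 'x2'], range(3)))
```

The constraints are generated for every pair of a lower-bound literal and an upper-bound literal on $x_a$, including the negated forms of the variables; Section 5.1 shows how to add only the pairs that are actually conjoined.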

4.3 Representing SL Formulas as Boolean Formulas

In our presentation up to this point, we have not used any specific representation of SL formulas. In practice, we encode a SL formula $\phi$ as a Boolean formula $\beta$. The encoding is performed as follows. Consider each separation predicate $x_i \bowtie x_j + c$ in $\phi$. As in Section 4.1 earlier, we introduce a Boolean variable for $x_i \bowtie x_j + c$, only this time we do it for every single separation predicate. Also as before, separation predicates that are negations of each other are represented by Boolean literals that are negations of each other. We then replace each separation predicate in $\phi$ by its corresponding Boolean literal. The resulting Boolean formula is $\beta$.

Clearly, $\beta$, by itself, stores insufficient information for generating transitivity constraints. Therefore, we also store the 1-1 mapping of separation predicates to the Boolean literals that encode them. However, this mapping is used only lazily, i.e., when generating transitivity constraints during quantification and in deciding SL formulas.

4.3.1 Substitution.

Given the representation described above, we can implement substitution of a clock variable as follows. For a clock variable $x_i$, we perform the substitution $[x_i \leftarrow x_k + d]$ (where $k = 0$ or $d = 0$) by replacing all Boolean variables of the form $e^{\bowtie,c}_{i,j}$ and $e^{\bowtie,c}_{j,i}$, for all $j$, by the corresponding variables for $x_k$, creating fresh replacement variables if necessary. Substitution of a Boolean state variable by the Boolean encoding of a separation formula is done by Boolean function composition.
5 Optimizations

The methods presented in Section 4 can be optimized in a few ways. First, we can be more selective in deciding when to add transitivity constraints. Second, we can compute the time elapse operator more efficiently by a method that does not explicitly introduce the bound real variable $\epsilon$, and hence does not introduce new quantifiers over Boolean variables. The third optimization concerns eliminating paths in a BDD representation that violate transitivity constraints. As is well-known, the size of a BDD is very sensitive to the number and ordering of BDD variables. In the case of model checking timed automata, new Boolean variables are created as the model checking proceeds, while generating transitivity constraints, and while performing substitutions of clock variables. This has the potential to add several BDD variables on each iteration. Finally, we can use an over-approximation technique to reduce the number of BDD variables added on each model checking iteration. While all four techniques presented in this section help in reducing the number of BDD variables, only the last two are specialized for BDDs.

5.1 Determining if Bounds are Conjoined

Suppose $\phi$ is a SL formula with Boolean encoding $\beta$, and we wish to eliminate the quantifier in $\exists x_a.\phi$. As described in Section 4.1, a transitivity constraint for $x_a$ involves two Boolean literals that encode separation predicates involving $x_a$. For a syntactic representation of $\beta$, as the number of constraints grows, so does the size of $[\beta_{cons} \wedge \beta_{bool}]$, the Boolean encoding of $[\phi_{cons} \wedge \phi_{bool}]$. Further, new separation predicates can be added when a transitivity constraint is generated from an upper bound and a lower bound on $x_a$. For a BDD-based implementation, this corresponds to the addition of a new BDD variable. We would therefore like to avoid adding transitivity constraints wherever possible.

In fact, we only need to add a constraint involving an upper bound literal and a lower bound literal if they are conjoined in a minimized DNF representation of $\beta$. (A conservative, syntactic variant of this idea has been proposed earlier by Strichman [16].) From a geometric viewpoint, this means that we check that the predicates corresponding to the two literals are bounds for the same convex clock region. This check can be posed as a Boolean satisfiability problem, which is easily solved using a BDD representation of $\beta$. Let the literals be $e_1$ and $e_2$. Then, we use cofactoring and Boolean operations to compute the following Boolean formula:

$e_1 \wedge e_2 \wedge [\beta|_{e_1=\mathrm{true}} \wedge \neg(\beta|_{e_1=\mathrm{false}})] \wedge [\beta|_{e_2=\mathrm{true}} \wedge \neg(\beta|_{e_2=\mathrm{false}})]$ (15)

Consider the subformula $e_i \wedge [\beta|_{e_i=\mathrm{true}} \wedge \neg(\beta|_{e_i=\mathrm{false}})]$ for $i = 1, 2$. This formula represents the set of input combinations $\mathbf{e}$ in which $e_i$ must be set to true in order for $\beta(\mathbf{e})$ to evaluate to true. Thus, the conjunction of the subformulas for $i = 1$ and $i = 2$ is satisfiable only if there exists a non-empty set of input combinations $\mathbf{e}$ in which both $e_1$ and $e_2$ must be set to true for $\beta(\mathbf{e})$ to evaluate to true. Viewed alternately, Formula 15 expresses the Boolean function corresponding to the disjunction of all terms in the minimized DNF representation of $\beta$ that contain both $e_1$ and $e_2$ in true form. Therefore, if Formula 15 is satisfiable, it means that $e_1$ and $e_2$ are conjoined, and we must add a transitivity constraint involving them both.

Note however, that since $\beta$ does not, by itself, represent the original SL formula $\phi$, finding that $e_1$ and $e_2$ are conjoined in $\beta$ does not imply that they are bounds in the same convex region of $\phi$. However, the converse is true, so our method is sound.
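Formula 15 as an added example that is not part of the paper: Boolean functions are plain Python predicates over a dictionary of variable values, cofactoring is substitution of a constant, and satisfiability is decided by enumerating all inputs, where the paper does the same with BDD cofactors and a BDD satisfiability check. The three sample functions are constructed for illustration; the third shows that the test looks at the minimized DNF, not at the DNF as written.

```python
# Added example, not the paper's code: the conjoined-literal test of
# Formula 15.  Boolean functions are Python predicates over a dict of
# variable values; cofactoring is substitution of a constant, and the
# satisfiability check enumerates all inputs instead of walking a BDD.
import itertools

def cofactor(beta, var, value):
    """beta|var=value."""
    return lambda env: beta({**env, var: value})

def forced_true(beta, var):
    """var and beta|var=true and not(beta|var=false): the inputs on which
    var must be true for beta to hold (Section 5.1)."""
    pos, neg = cofactor(beta, var, True), cofactor(beta, var, False)
    return lambda env: env[var] and pos(env) and not neg(env)

def conjoined(beta, variables, e1, e2):
    """Formula 15 is satisfiable iff e1 and e2 occur together, in true form,
    in some term of the minimised DNF of beta; only then is a transitivity
    constraint for the pair needed."""
    f1, f2 = forced_true(beta, e1), forced_true(beta, e2)
    for bits in itertools.product([False, True], repeat=len(variables)):
        env = dict(zip(variables, bits))
        if f1(env) and f2(env):
            return True
    return False

VARS = ['e1', 'e2', 'e3']          # constructed sample functions follow
# (e1 e2) or (not e1 e3): the term e1 e2 makes e1 and e2 conjoined.
beta_shared_term = lambda v: (v['e1'] and v['e2']) or (not v['e1'] and v['e3'])
# (e1 e3) or (e2 e3): e1 and e2 never occur in the same term.
beta_separate_terms = lambda v: (v['e1'] and v['e3']) or (v['e2'] and v['e3'])
# (e1 e2 e3) or (e1 not e2) minimises to (e1 e3) or (e1 not e2): the term
# e1 e2 e3 is absorbed, so the pair is not conjoined even though the
# unminimised DNF lists e1 and e2 together.
beta_absorbed_term = lambda v: (v['e1'] and v['e2'] and v['e3']) or (v['e1'] and not v['e2'])

def results():
    return tuple(conjoined(b, VARS, 'e1', 'e2')
                 for b in (beta_shared_term, beta_separate_terms, beta_absorbed_term))
```

With $e_1$ encoding an upper bound and $e_2$ a lower bound on $x_a$, a result of True is the case in which the transitivity constraint for the pair has to be added; a result of False lets the constraint, and any new BDD variable its consequent would introduce, be skipped.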
5.2 Quantifier Elimination by Eliminating Upper Bounds on $x_0$

The definition of the time elapse operation introduces two quantified non-clock real variables: $\delta$ and $\epsilon$. We can exploit the special structure of the QSL formula for the time elapse operation so as to avoid introducing $\epsilon$ altogether. Thus, we can avoid adding new quantified Boolean variables encoding predicates involving $\epsilon$.

Consider the inner existentially quantified SL formula in Formula 4 in Section 3, reproduced here:

$\exists \epsilon (\epsilon \leq x_0 \wedge \delta \leq \epsilon \wedge \neg\phi_1[\epsilon/x_0])$

Grouping the inequality $\delta \leq \epsilon$ with the formula $\neg\phi_1[\epsilon/x_0]$, we get:

$\exists \epsilon \{\epsilon \leq x_0 \wedge (\delta \leq x_0 \wedge \neg\phi_1)[\epsilon/x_0]\}$ (16)

Finally, treating $\delta$ as a clock variable, we can revert from the substitution $[\epsilon/x_0]$ back to the $+\epsilon$ form, transforming Formula 16 to the following form:

$\exists \epsilon [\epsilon \geq x_0 \wedge (\delta \leq x_0 \wedge \neg\phi_1) + \epsilon]$ (17)

Formula 17 is a special case of the formula $\omega_\epsilon$ given by

$\omega_\epsilon = \exists \epsilon . \epsilon \geq x_0 \wedge \phi + \epsilon$

for some SL formula $\phi$. From a geometric viewpoint, $\phi$ is a region in $\mathbb{R}^n$ and $\omega_\epsilon$ is the shadow of $\phi$ for a light source at $\infty^n$. Examples of $\phi$ and the corresponding $\omega_\epsilon$ are shown in Figures 1(a) and 1(c) respectively.

We can transform $\omega_\epsilon$ to an equivalent SL formula $\phi_{ub}$ by eliminating upper bounds on $x_0$, i.e., Boolean variables of the form $e^{\bowtie,c}_{i,0}$ with $\bowtie \in \{>, \geq\}$. The transformation is performed iteratively in the following steps:

1. Let $\phi_0 = \phi$. Let $e^{\bowtie_1,c_1}_{i_1,0}, \ldots, e^{\bowtie_m,c_m}_{i_m,0}$ be Boolean literals encoding all upper bounds on $x_0$ that occur in $\phi$.

Note that an upper bound literal occurs in $\phi$ if it appears in some term in the minimized DNF representation of $\phi$. This can be checked by evaluating the Boolean function $[\beta|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}} \wedge \neg(\beta|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{false}})]$, where $\beta$ is the Boolean encoding of $\phi$, and checking that it is not false.

2. For $j = 1, 2, \ldots, m$, we construct $\phi_j$ as follows:

(a) Replace all occurrences of $x_{i_j} \bowtie_j x_0 + c_j$ in $\phi_{j-1}$ with $e^{\bowtie_j,c_j}_{i_j,0}$ to get $\phi^{i_j,0}_{bool,j-1}$.

(b) Construct $\phi^{i_j,0}_{cons,j-1}$, the conjunction of all transitivity constraints for $x_0$ involving $e^{\bowtie_j,c_j}_{i_j,0}$ and clock variables in $\phi^{i_j,0}_{bool,j-1}$. (We can use the optimization technique of Section 5.1 in this step.)

(c) Construct the formula $\phi_j$, a disjunction of two terms:

$\phi_j = \{[\phi^{i_j,0}_{bool,j-1} \wedge \phi^{i_j,0}_{cons,j-1}]|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}}\} \vee \{[\neg(x_{i_j} \bowtie_j x_0 + c_j)] \wedge \phi^{i_j,0}_{bool,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{false}}\}$

The first disjunct is the region obtained by dropping the bound $x_{i_j} \bowtie_j x_0 + c_j$ from convex sub-regions of $\phi_{j-1}$ where it is a lower bound on $x_{i_j}$, while letting time elapse backward. The second disjunct corresponds to sub-regions where $\neg(x_{i_j} \bowtie_j x_0 + c_j)$ is an upper bound; these regions are left unchanged.
The output of the above transformation, $\phi_{ub}$, is given by $\phi_{ub} = \phi_m$. The correctness of this procedure is formalized in the following theorem.

Theorem 2 $\omega_\epsilon$ and $\phi_{ub}$ are equivalent.

Proof: We make use of the following lemmas.

Lemma 1 For all $j = 1, \ldots, m$, $\exists \epsilon . \epsilon \geq x_0 \wedge \phi_{j-1} + \epsilon$ is equivalent to $\exists \epsilon . \epsilon \geq x_0 \wedge \phi_j + \epsilon$.

Proof: (Lemma 1)

We give the proof for an arbitrary $j$ satisfying $1 \leq j \leq m$. Let $\omega_{j-1}$ and $\omega_j$ respectively denote $\exists \epsilon_{j-1} . \epsilon_{j-1} \geq x_0 \wedge \phi_{j-1} + \epsilon_{j-1}$ and $\exists \epsilon_j . \epsilon_j \geq x_0 \wedge \phi_j + \epsilon_j$. Notice that we have renamed the bound variable $\epsilon$.


1. First, we show that $\omega_{j-1} \Rightarrow \omega_j$. Let $A$ be an assignment to the free and bound variables in $\omega_{j-1}$ such that $A[\omega_{j-1}] = \mathrm{true}$. This means that $A[\phi_{j-1} + \epsilon_{j-1}] = \mathrm{true}$. Extend $A$ so that $A[\epsilon_j] = A[\epsilon_{j-1}]$. Thus, $A[\epsilon_{j-1} \geq x_0] = A[\epsilon_j \geq x_0] = \mathrm{true}$.

We consider two cases.

(a) Case 1: $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_{j-1}] = \mathrm{true}$.

Note that by construction,

$\phi^{i_j,0}_{bool,j-1} = \phi_{j-1}[e^{\bowtie_j,c_j}_{i_j,0}/(x_{i_j} \bowtie_j x_0 + c_j)]$

From the two equalities above, and since $A[\epsilon_j] = A[\epsilon_{j-1}]$, we get

$A[\phi_{j-1} + \epsilon_{j-1}] = A[\phi^{i_j,0}_{bool,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}} + \epsilon_j]$

In addition, the transitivity constraints are satisfied, i.e.,

$A[\phi^{i_j,0}_{cons,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}} + \epsilon_j] = \mathrm{true}$

because $\phi^{i_j,0}_{cons,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}}$ only involves real-valued variables. Therefore,

$A[\phi_{j-1} + \epsilon_{j-1}] = A[(\phi^{i_j,0}_{bool,j-1} \wedge \phi^{i_j,0}_{cons,j-1})|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}} + \epsilon_j]$

Thus, we conclude that

$A[\phi_{j-1} + \epsilon_{j-1}] = A[\phi_j + \epsilon_j] = \mathrm{true}$

which in turn implies that

$A[\epsilon_{j-1} \geq x_0 \wedge \phi_{j-1} + \epsilon_{j-1}] = A[\epsilon_j \geq x_0 \wedge \phi_j + \epsilon_j] = \mathrm{true}$

and so

$A[\omega_{j-1}] = A[\omega_j] = \mathrm{true}$

This concludes the first case.
(b) Case 2: $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_{j-1}] = \mathrm{false}$.

Since

$\phi^{i_j,0}_{bool,j-1} = \phi_{j-1}[e^{\bowtie_j,c_j}_{i_j,0}/(x_{i_j} \bowtie_j x_0 + c_j)]$

and, in addition, $A[\epsilon_j] = A[\epsilon_{j-1}]$, we have

$A[\phi_{j-1} + \epsilon_{j-1}] = A[\phi^{i_j,0}_{bool,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{false}} + \epsilon_j]$

Now, since $A[\phi_{j-1} + \epsilon_{j-1}] = \mathrm{true}$, we get

$A[\phi^{i_j,0}_{bool,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{false}} + \epsilon_j] = \mathrm{true}$

and

$A[[\neg(x_{i_j} \bowtie_j x_0 + c_j) \wedge \phi^{i_j,0}_{bool,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{false}}] + \epsilon_j] = \mathrm{true}$

and so, we conclude that

$A[\phi_j + \epsilon_j] = A[\epsilon_j \geq x_0 \wedge \phi_j + \epsilon_j] = A[\omega_j] = \mathrm{true}$

which concludes case 2.

Thus, $\omega_{j-1} \Rightarrow \omega_j$.

2. We next show that $\omega_j \Rightarrow \omega_{j-1}$.

Let $A$ be an assignment to the free and bound variables in $\omega_j$ such that $A[\omega_j] = \mathrm{true}$. This means that $A[\phi_j + \epsilon_j] = \mathrm{true}$. We wish to extend $A$ by an assignment to $\epsilon_{j-1}$ so that $A[\phi_{j-1} + \epsilon_{j-1}] = \mathrm{true}$ and $A[\epsilon_{j-1} \geq x_0] = \mathrm{true}$.

We consider two cases.

(a) Case 1: $A[(\phi^{i_j,0}_{bool,j-1} \wedge \phi^{i_j,0}_{cons,j-1})|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}} + \epsilon_j] = \mathrm{true}$.

Therefore, both conjuncts hold:

$A[\phi^{i_j,0}_{bool,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}} + \epsilon_j] = \mathrm{true}$

and

$A[\phi^{i_j,0}_{cons,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}} + \epsilon_j] = \mathrm{true}$

If $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_j] = \mathrm{true}$, then using the equality

$\phi^{i_j,0}_{bool,j-1} = \phi_{j-1}[e^{\bowtie_j,c_j}_{i_j,0}/(x_{i_j} \bowtie_j x_0 + c_j)]$ (18)

(19)

we can set $A[\epsilon_{j-1}] = A[\epsilon_j]$, which yields $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_{j-1}] = \mathrm{true}$, and so using Equations 18 and 19, we get

$A[\phi_{j-1} + \epsilon_{j-1}] = A[\phi_j + \epsilon_j] = \mathrm{true}$ (20)

However, if $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_j] = \mathrm{false}$, then we must find an alternate assignment to $\epsilon_{j-1}$, such that $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_{j-1}] = \mathrm{true}$. Then, we can conclude, as above, that Equation 20 holds.
Consider, w.r.t. the assignment $A$, all lower bounds on $x_0$ that occur in $\phi^{i_j,0}_{bool,j-1} + \epsilon_j$ (and hence in $\phi_{j-1} + \epsilon_j$). More precisely, a lower bound on $x_0$ is a predicate $(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_j$ such that $A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_j] = \mathrm{true}$.

If no such lower bound on $x_0$ exists, then we can set $\epsilon_{j-1}$ to any value that results in $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_{j-1}] = \mathrm{true}$, because there is no lower bound to be violated by increasing the value of a clock variable.

So suppose at least one lower bound on $x_0$ exists in $\phi_{j-1}$. Define the value $\nu_s$ as

$\nu_s = \min_{k \;\mathrm{s.t.}\; A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_j] = \mathrm{true}} (-c_k - A[x_{i_k} + \epsilon_j])$ (21)

Note that $\nu_s \geq 0$ since $A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_j] = \mathrm{true}$ for all $k$ in Equation 21.

Let $l$ be the $k$ for which the minimum on the right-hand side of Equation 21 is attained. If there are many such $k$, say $k_1, k_2, \ldots, k_d$, set $l$ according to the following rules:

i. If there exists $k_i$ for which $\bowtie_{k_i}$ is $>$, set $l$ to any one such $k_i$.

ii. Otherwise select $l$ to be any one of $k_1, k_2, \ldots, k_d$.

Thus,

$\nu_s = -c_l - A[x_{i_l} + \epsilon_j]$ (22)

Next, we define a non-negative real number $\chi$ as follows:

$\chi = \chi_0$ if $\bowtie_l$ is $>$, where $\chi_0 \in (0, A[x_{i_j} - x_{i_l} - c_j - c_l])$; $\chi = 0$ otherwise.

Note that $A[x_{i_j} - x_{i_l} - c_j - c_l]$ is non-negative and is strictly positive when $\bowtie_l$ is $>$. This is because there exists a transitivity constraint in $\phi^{i_j,0}_{cons,j-1}$ of the form

$e^{\bowtie_j,c_j}_{i_j,0} \wedge (x_0 \bowtie_l x_{i_l} + c_l) \Rightarrow (x_{i_j} \bowtie_j x_{i_l} + c_j + c_l)$

which occurs in $\phi^{i_j,0}_{cons,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{true}}$ as

$(x_0 \bowtie_l x_{i_l} + c_l) \Rightarrow (x_{i_j} \bowtie_j x_{i_l} + c_j + c_l)$

The following constraint also holds:

$(x_0 \bowtie_l x_{i_l} + c_l) \Rightarrow (x_{i_j} \bowtie_l x_{i_l} + c_j + c_l)$

Since $A[(x_0 \bowtie_l x_{i_l} + c_l) + \epsilon_j] = \mathrm{true}$, the following equalities hold:

$A[(x_{i_j} \bowtie_j x_{i_l} + c_j + c_l) + \epsilon_j] = A[x_{i_j} \bowtie_j x_{i_l} + c_j + c_l] = \mathrm{true}$ (24)

$A[(x_{i_j} \bowtie_l x_{i_l} + c_j + c_l) + \epsilon_j] = A[x_{i_j} \bowtie_l x_{i_l} + c_j + c_l] = \mathrm{true}$ (25)

Thus, $A[x_{i_j} - x_{i_l} - c_j - c_l]$ is non-negative and is strictly positive when $\bowtie_l$ is $>$.

We now show that $\nu_s - \chi \geq 0$. If $\chi = 0$, clearly $\nu_s - \chi \geq 0$. So, assume that $\bowtie_l$ is $>$, and thus $\chi \in (0, A[x_{i_j} - x_{i_l} - c_j - c_l])$. Then we can conclude the following:

$\nu_s - \chi = -c_l - A[x_{i_l}] - A[\epsilon_j] - \chi$

$> -c_l - A[x_{i_l}] - A[\epsilon_j] - A[x_{i_j} - x_{i_l} - c_j - c_l]$

$= -c_l - A[x_{i_l}] - A[\epsilon_j] - A[x_{i_j}] + A[x_{i_l}] + c_j + c_l$

$= c_j - A[x_{i_j}] - A[\epsilon_j]$

$\geq 0$ (since $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_j] = \mathrm{false}$)
Intuitively, $\nu_s - \chi$ is a non-negative real number we can add to all clock variables without violating lower bounds on $x_0$ in $\phi_{j-1} + \epsilon_j$.

Now, define $A[\epsilon_{j-1}]$ as follows:

$A[\epsilon_{j-1}] = A[\epsilon_j] + \nu_s - \chi$ (26)

Since $\nu_s - \chi \geq 0$, $A[\epsilon_{j-1}] \geq A[\epsilon_j]$.

Given the above assignment to $\epsilon_{j-1}$, we first show that $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_{j-1}] = \mathrm{true}$. We have the following sequence of equalities:

$A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_{j-1}]$

$= A[x_{i_j}] + A[\epsilon_{j-1}] \bowtie_j c_j$

$= A[x_{i_j}] \bowtie_j c_j - A[\epsilon_{j-1}]$

$= A[x_{i_j}] \bowtie_j c_j - \nu_s + \chi - A[\epsilon_j]$

$= A[x_{i_j}] \bowtie_j c_j + (A[x_{i_l} + \epsilon_j] + c_l) + \chi - A[\epsilon_j]$

$= A[x_{i_j}] \bowtie_j \chi + A[x_{i_l}] + c_j + c_l$

$= \mathrm{true}$ (since $\chi$ is either $0$ or lies in $(0, A[x_{i_j} - x_{i_l} - c_j - c_l])$, and from Eqn. 24)

We next show that the assignment to $\epsilon_{j-1}$ in Equation 26 preserves the truth assignment to other bounds on $x_0$; i.e., bounds in $\phi_{j-1} + \epsilon_j$ other than $(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_j$. Formally, we show that for all bounds $x_0 \bowtie_k x_{i_k} + c_k$ where $k \neq j$:

$A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_{j-1}] = A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_j]$

Note that the value of separation predicates that do not involve $x_0$, i.e., those of the form $x_{i_p} \bowtie x_{i_q} + c$, is unaffected by the assignment to $\epsilon_j$ or $\epsilon_{j-1}$.

If $A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_j] = \mathrm{false}$, then $A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_{j-1}] = \mathrm{false}$, since $A[\epsilon_{j-1}] \geq A[\epsilon_j]$.

On the other hand, if $A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_j] = \mathrm{true}$, then

$A[(x_0 \bowtie_k x_{i_k} + c_k) + \epsilon_{j-1}]$

$= 0 \bowtie_k A[x_{i_k}] + c_k + A[\epsilon_{j-1}]$

$= 0 \bowtie_k A[x_{i_k}] + c_k + A[\epsilon_j] + \nu_s - \chi$

$= 0 \bowtie_k (c_k + A[x_{i_k}]) + A[\epsilon_j] + (-c_l - A[x_{i_l} + \epsilon_j]) - \chi$

$= (-c_k - A[x_{i_k}]) \bowtie_k (-c_l - A[x_{i_l}]) - \chi$

$= \mathrm{true}$ (since $\chi \geq 0$ and from Equations 21 and 22)

To sum up, we have shown that $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_{j-1}] = \mathrm{true}$, even though $A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_j] = \mathrm{false}$. Thus, we can conclude that

$A[\phi_{j-1} + \epsilon_{j-1}] = A[\phi_j + \epsilon_j] = \mathrm{true}$

This completes the proof for the first case.
(b) Case 2: $A[[\neg(x_{i_j} \bowtie_j x_0 + c_j) \wedge \phi^{i_j,0}_{bool,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{false}}] + \epsilon_j] = \mathrm{true}$.

Thus

$A[\phi^{i_j,0}_{bool,j-1}|_{e^{\bowtie_j,c_j}_{i_j,0}=\mathrm{false}} + \epsilon_j] = \mathrm{true}$

and

$A[(x_{i_j} \bowtie_j x_0 + c_j) + \epsilon_j] = \mathrm{false}$

Letting $A[\epsilon_{j-1}] = A[\epsilon_j]$ and from Equation 19, we get

$A[\phi_{j-1} + \epsilon_{j-1}] = \mathrm{true}$

as required.

Thus, $\omega_j \Rightarrow \omega_{j-1}$.

From parts 1 and 2 above, we conclude that $\omega_{j-1}$ and $\omega_j$ are equivalent.

□

Lemma 2 Suppose the SL formula $\phi$ does not contain any separation predicates that are upper bounds on $x_0$; i.e., any satisfying assignment to $\phi$ sets all upper bounds on $x_0$ to false, and all lower bound predicates to true. Then, $\exists \epsilon . \epsilon \geq x_0 \wedge \phi + \epsilon$ is equivalent to $\phi$.

Proof: (Lemma 2)

We first show that $\phi \Rightarrow (\exists \epsilon . \epsilon \geq x_0 \wedge \phi + \epsilon)$.

Let $A$ be an assignment to the variables in $\phi$ such that $A[\phi] = \mathrm{true}$. We extend $A$ with an evaluation of $\epsilon$ so that $A[\epsilon] = 0 = A[x_0]$. Then, $A[\epsilon \geq x_0 \wedge \phi + \epsilon] = \mathrm{true}$, since $A[\phi + \epsilon] = A[\phi]$. Therefore, $A[\exists \epsilon . \epsilon \geq x_0 \wedge \phi + \epsilon] = \mathrm{true}$. Thus, $\phi \Rightarrow (\exists \epsilon . \epsilon \geq x_0 \wedge \phi + \epsilon)$.

Next, we show that $(\exists \epsilon . \epsilon \geq x_0 \wedge \phi + \epsilon) \Rightarrow \phi$. Let $A$ be an assignment such that $A[\exists \epsilon . \epsilon \geq x_0 \wedge \phi + \epsilon] = \mathrm{true}$. Thus, $A[\epsilon \geq x_0] = \mathrm{true}$ and $A[\phi + \epsilon] = \mathrm{true}$. Since $\phi$ does not contain any separation predicates that are upper bounds on $x_0$, for any lower bound $x_0 \bowtie_k x_k + c_k$ on $x_0$, $A[(x_0 \bowtie_k x_k + c_k) + \epsilon] = \mathrm{true}$, and for an upper bound $x_l \bowtie_l x_0 + c_l$ on $x_0$, $A[(x_l \bowtie_l x_0 + c_l) + \epsilon] = \mathrm{false}$.

Then, since $A[\epsilon] \geq 0$,

$A[(x_0 \bowtie_k x_k + c_k) + \epsilon] = \mathrm{true} = A[x_0 \bowtie_k (x_k + \epsilon) + c_k] = A[x_0 \bowtie_k x_k + c_k]$

Similarly, for an upper bound predicate on $x_0$, $A[x_l \bowtie_l x_0 + c_l] = \mathrm{false}$.

It then follows that $A[\phi] = \mathrm{true}$.

□

From Lemma 1, we infer that $\omega_\epsilon = \exists \epsilon . \epsilon \geq x_0 \wedge \phi_0 + \epsilon$ is equivalent to $\exists \epsilon . \epsilon \geq x_0 \wedge \phi_m + \epsilon$. Additionally, since $\phi_m$ does not contain any upper bounds on $x_0$, using Lemma 2, we conclude that $\omega_\epsilon$ is equivalent to $\phi_m = \phi_{ub}$. This completes the proof of Theorem 2. □

Example 2 Let the subformula $\phi$ of $\omega_\epsilon$ be

$\phi = (x_1 > x_0 + 3 \wedge x_2 < x_0 + 2) \vee (x_1 < x_0 + 3 \wedge x_2 > x_0 + 3)$

$\phi$ is depicted geometrically as the shaded region in Figure 1(a). It comprises two sub-regions, one for each disjunct. The lower bounds on these regions, $x_1 > x_0 + 3$ and $x_2 > x_0 + 3$, are upper bounds on $x_0$. We encode these by $e^{>,3}_{1,0}$ and $e^{>,3}_{2,0}$.

Figure 1(b) shows the result of eliminating $e^{>,3}_{1,0}$. Formally, we calculate

$\phi^{1,0}_{bool,0} = (e^{>,3}_{1,0} \wedge x_2 < x_0 + 2) \vee (x_1 < x_0 + 3 \wedge x_2 > x_0 + 3)$

$\phi^{1,0}_{cons,0} = (e^{>,3}_{1,0} \wedge x_2 < x_0 + 2) \Rightarrow (x_1 > x_2 + 1)$

Then, applying step 2(c) of the transformation, we get

$\phi_1 = (x_2 < x_0 + 2 \wedge x_1 > x_2 + 1) \vee (x_1 < x_0 + 3 \wedge x_2 > x_0 + 3)$

Similarly, in the next iteration, we introduce and eliminate $e^{>,3}_{2,0}$ to get $\phi_2$, shown in Figure 1(c), which is equivalent to $\omega_\epsilon$. □

Note that the QSL formula obtained after eliminating the inner quantifier in Formula 4 is not of the form $\omega_\epsilon$, and so we cannot avoid introducing the $\delta$ variable.

Figure 1: Eliminating upper bounds on $x_0$. Panels: (a) $\phi_0 = \phi$, (b) $\phi_1$, (c) $\phi_2 = \omega_\epsilon$.

Figure 2: Weakening Transitivity Constraints. Panels: (a) Exact, (b) Weakened. The shaded area denotes the region satisfying the constraint.
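The procedure of steps 1 and 2 of Section 5.2, run on Example 2, as an added example that is not the paper's implementation. It keeps $\phi$ as a DNF (a set of cubes), so that cofactoring on the chosen literal and conjoining the transitivity constraints of step 2(c) reduce to set operations on each cube, and it checks the result against a brute-force evaluation of $\omega_\epsilon$ on a grid. As in the proof of Lemma 2, $x_0$ is taken to be the clock fixed at 0 and $\phi + \epsilon$ to add $\epsilon$ to every other clock. The clock names, the tuple encoding of predicates and the grid are my own assumptions.

```python
# Added example, not the paper's code: Section 5.2's elimination of upper
# bounds on x0 from  omega_eps = exists eps. eps >= x0 and (phi + eps),
# applied to Example 2 and checked on a grid.  phi is a DNF: a set of cubes,
# each a frozenset of predicates ('xi', op, 'xj', c) meaning x_i op x_j + c.
# As in the proof of Lemma 2, x0 is the clock fixed at 0 and phi + eps adds
# eps to every other clock.  Names and the tuple encoding are mine.
import itertools
from fractions import Fraction

FLIP = {'<': '>', '<=': '>=', '>': '<', '>=': '<='}

def holds(op, lhs, rhs):
    return {'<': lhs < rhs, '<=': lhs <= rhs, '>': lhs > rhs, '>=': lhs >= rhs}[op]

def normalise(p):
    """Put x0 on the right-hand side:  x_i op x0 + c."""
    i, op, j, c = p
    return (j, FLIP[op], i, -c) if i == 'x0' else p

def is_upper_bound_on_x0(p):
    """x_i > x0 + c, a lower bound on x_i, bounds x0 from above."""
    i, op, j, c = p
    return j == 'x0' and op in ('>', '>=')

def is_lower_bound_on_x0(p):
    """x_k < x0 + c, i.e. x0 > x_k - c."""
    i, op, j, c = p
    return j == 'x0' and op in ('<', '<=')

def transitivity(upper, lower):
    """From x_i opU x0 + cU and x0 > x_k - cL conclude x_i op x_k + (cU - cL),
    strict when either bound is strict."""
    i, opu, _, cu = upper
    k, opl, _, cl = lower
    op = '>' if opu == '>' or opl == '<' else '>='
    return (i, op, k, cu - cl)

def eliminate_upper_bounds(cubes):
    """Steps 1 and 2 of Section 5.2 on a DNF, one upper bound e on x0 per
    round.  A cube containing e loses e and gains the transitivity consequent
    with each lower bound on x0 it contains (the e=true disjunct of step 2(c)).
    A cube containing the negation of e is kept (the e=false disjunct).  A cube
    mentioning neither is also kept: step 2(c) turns it into
    C and (not e or constraints), which over the reals is just C because the
    constraints are consequences of e."""
    cubes = {frozenset(normalise(p) for p in cube) for cube in cubes}
    while True:
        uppers = {p for cube in cubes for p in cube if is_upper_bound_on_x0(p)}
        if not uppers:
            return cubes
        e = min(uppers)
        result = set()
        for cube in cubes:
            if e not in cube:
                result.add(cube)
                continue
            rest = cube - {e}
            cons = {transitivity(e, p) for p in rest if is_lower_bound_on_x0(p)}
            # a consequent relating a clock to itself is a constant: an
            # unsatisfiable one kills the cube, a valid one is dropped
            if any(i == k and not holds(op, 0, c) for (i, op, k, c) in cons):
                continue
            result.add(rest | {q for q in cons if q[0] != q[2]})
        cubes = result

def eval_dnf(cubes, rho):
    return any(all(holds(op, rho[i], rho[k] + c) for (i, op, k, c) in cube) for cube in cubes)

def omega_eps_brute(cubes, rho):
    """Reference: some eps >= 0 makes phi true after adding eps to each clock but x0."""
    cubes = {frozenset(normalise(p) for p in cube) for cube in cubes}
    pts = sorted({Fraction(0)} | {c - rho[i] for cube in cubes for (i, _, k, c) in cube
                                  if k == 'x0' and c - rho[i] > 0})
    cands = set(pts) | {(p + q) / 2 for p, q in zip(pts, pts[1:])} | {pts[-1] + 1}
    return any(eval_dnf(cubes, {x: (v if x == 'x0' else v + eps) for x, v in rho.items()})
               for eps in cands)

EXAMPLE2 = {frozenset({('x1', '>', 'x0', 3), ('x2', '<', 'x0', 2)}),
            frozenset({('x1', '<', 'x0', 3), ('x2', '>', 'x0', 3)})}

def example2_phi_ub():
    return eliminate_upper_bounds(EXAMPLE2)

def example2_equivalent_on_grid():
    """phi_ub agrees with omega_eps at every half-integer point of [-1, 6]^2."""
    phi_ub = example2_phi_ub()
    values = [Fraction(n, 2) for n in range(-2, 13)]
    return all(eval_dnf(phi_ub, rho) == omega_eps_brute(EXAMPLE2, rho)
               for x1, x2 in itertools.product(values, repeat=2)
               for rho in [{'x0': Fraction(0), 'x1': x1, 'x2': x2}])
```

On Example 2 the first round removes $x_1 > x_0 + 3$ and adds $x_1 > x_2 + 1$ to the first cube, giving $\phi_1$ as in the text; the second round removes $x_2 > x_0 + 3$ from the second cube and adds $x_2 > x_1$, and the grid check confirms that the result is $\omega_\epsilon$.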


5.3 Overapproximation by Weakening Transitivity Constraints

In spite of the methods of Sections 5.1 and 5.2, generating transitivity constraints while eliminating the quantifier on $\delta$ might create too many new BDD variables, causing the BDD to blow up. In the case of reachability properties, a partial solution is to weaken the transitivity constraints added so as to not create new variables, yielding an overapproximation of the time elapse operation. For reachability properties, overapproximating the time elapse ("pre") operation makes our model checking procedure incomplete, but retains soundness.

Consider a transitivity constraint for $\delta$ of type (a) as defined in Section 4.1, reproduced below:

$e^{\bowtie_1,c_1}_{i,\delta} \wedge e^{\bowtie_2,c_2}_{\delta,j} \Rightarrow (x_i \bowtie x_j + c_1 + c_2)$

We replace the above constraint by the following weakened constraint:

$e^{\bowtie_1,c_1}_{i,\delta} \wedge e^{\bowtie_2,c_2}_{\delta,j} \Rightarrow [(x_i \bowtie_1 x_0 + c_1) \vee (x_0 \bowtie_2 x_j + c_2)]$ (27)

The difference between the two constraints is depicted geometrically in Figure 2.

Note that the consequent of the weakened constraint (Formula 27) only involves separation predicates involving $x_i$, $x_j$, and $x_0$, and these already occurred in formula $\phi$ of Formula 4, since they are the predicates in which $\delta$ was substituted for $x_0$. Thus, we avoid adding new BDD variables.

5.4 Eliminating Infeasible Paths in BDDs

Suppose $\beta$ is the Boolean encoding of SL formula $\phi$. Let $\phi_{cons}$ denote the conjunction of transitivity constraints for all real-valued variables in $\phi$, and let $\beta_{cons}$ denote its Boolean encoding. Finally, denote the BDD representations of $\beta$ and $\beta_{cons}$ by Bdd($\beta$) and Bdd($\beta_{cons}$) respectively.

We would like to eliminate paths in Bdd($\beta$) that violate transitivity constraints, i.e., those corresponding to assignments to variables in $\beta$ for which $\beta_{cons} = \mathrm{false}$. We can do this by using the BDD Restrict operator, replacing Bdd($\beta$) by Restrict(Bdd($\beta$), Bdd($\beta_{cons}$)). Informally, Restrict(Bdd($\beta$), Bdd($\beta_{cons}$)) traverses Bdd($\beta$), eliminating a path on which $\beta_{cons}$ is false as long as it doesn't involve adding new nodes to the resulting BDD. Details about the Restrict operator may be found in the paper by Coudert and Madre [9].

Since eliminating infeasible paths in a large BDD can be quite time consuming, we only apply this optimization to the BDD for the set of reachable states, once on each fixpoint iteration.

6 Experimental Results

We implemented a model checker that uses BDDs to represent Boolean functions and incorporates all the optimizations described in Section 5. The model checker is written in the OCaml language and uses the CUDD package (http://vlsi.colorado.edu/~fabio/CUDD) for BDD manipulation. We have performed preliminary experiments comparing the performance of our model checker for both reachability and non-reachability TCTL properties, without using the over-approximation scheme of Section 5.3. For reachability properties, we compare against the other unbounded, fully symbolic model checkers, viz., a DDD-based checker (DDD) [14] and Red version 4.1 [18], which have been shown to outperform Uppaal2k and Kronos for reachability analysis. For non-reachability properties, such as checking that a system is non-zeno, we compare against Kronos and Red, the only other unbounded model checkers that check such properties.

As an illustrative example, we use Fischer's protocol for mutual exclusion. Tools such as DDD and Red that we compare against have been shown to perform well on this example for reachability properties. The automaton for the $i$th process in this protocol is shown in Figure 3. We ran two experiments with this example. The first experiment compared our model checker against DDD and Red, checking that the system preserves mutual exclusion (a reachability property). In the second experiment, we compared against Kronos and Red for checking that the product automaton is non-zeno (a non-reachability property). All experiments were run on a notebook computer with a 1 GHz Pentium III processor and 128 MB RAM, running Linux. We ran DDD, Kronos, and Red with their default options. For our implementation, we turned off dynamic variable reordering in CUDD. To come up with a static variable ordering, we classified the BDD variables in our Boolean encoding as follows. The first class, $C_{id}$, consists of variables encoding the shared integer id. For each $i$, class $C(i)$ contains the BDD variables encoding locations and clock constraints for process $i$. Finally, class $C(i,j)$ encodes predicates relating clock variables from processes $i$ and $j$. We used a static variable ordering that groups together variables in the same class, places class $C_{id}$ at the top, orders $C(i)$ before $C(j)$ if $i < j$, and places $C(i,j)$ right after $C(j)$ for $j > i$. New BDD variables added during model checking are inserted into the order at positions that depend upon the class they fall into. The same static variable order was used for the corresponding Boolean variables and separation predicates in DDD.


Figure 3: Fischer's mutual exclusion protocol. The timed automaton for the $i$th process is shown.

Table 1 shows the results of the comparison against DDD and Red for checking mutual exclusion for increasing numbers of processes. We refer to our model checker as TMV. For DDD and TMV, the table lists both the run-times and the peak number of nodes in the decision diagram for the reachable state set. We find that DDD outperforms TMV due to the blow-up of BDDs. In spite of the optimizations of Section 5, the peak node count in the case of DDD is less than that for TMV for the larger benchmarks. In particular, in addition to eliminating infeasible paths as TMV does, the local reduction operations performed by DDD during node creation can eliminate unnecessary DDD nodes without adding any time overhead. For example, DDD can reduce a function of the form $e_1 \wedge e_2 \wedge e_3$ under the transitivity constraint $[e_1 \wedge e_2] \Rightarrow e_3$ to simply the conjunction $e_1 \wedge e_2$. The BDD Restrict operator cannot always achieve this as it is sensitive to the BDD variable ordering. Furthermore, TMV contains many other BDDs, such as those for the transitivity constraints, to which we do not apply the Restrict optimization due to its runtime overhead. Finally, in comparison to Red, we see that while TMV is faster on the smaller benchmarks, Red's superior memory performance enables it to complete for 7 processes while TMV runs out of memory.

Table 2 shows the comparison with Kronos and Red for checking non-zenoness. The time for Kronos is the sum of the times for product construction and backward model checking. We notice that while Kronos does better for smaller numbers of processes, the product automaton it constructs grows very quickly, becoming too large to construct at 6 processes. The run times for TMV, on the other hand, grow much more gradually, demonstrating the advantages of a fully symbolic approach. For this property, the BDDs remain small even for larger numbers of processes. Thus, TMV outperforms Red, especially as the number of processes increases. These results indicate that when the representation (BDDs) remains small, Boolean methods for quantifier elimination and deciding SL can outperform non-Boolean methods by a significant factor.

Number of   Red          DDD                         TMV
Processes   Time (sec.)  Time (sec.)  Reach Set      Time (sec.)  Reach Set
                                      (peak nodes)                (peak nodes)
3           0.21         0.06         130            0.11         101
4           1.13         0.14         352            0.38         316
5           4.53         0.33         854            1.85         1127
6           15.11        0.90         2375           17.41        4685
7           46.31        2.65         6346           *            *

Table 1: Checking mutual exclusion for Fischer's protocol. A * indicates that the model checker ran out of memory.


Number of   Kronos       Red          TMV
Processes   Time (sec.)  Time (sec.)  Time (sec.)  Reach Set (peak nodes)
3           0.03         0.28         0.24         28
4           0.23         1.30         0.44         39
5           1.98         5.05         0.80         54
6           *            17.80        2.15         69
7           *            57.95        6.61         88

Table 2: Checking non-zenoness for Fischer's protocol. A * indicates that Kronos exited with an "out of memory" error.

Although they are preliminary, our results indicate that our model checker based on a general purpose BDD package can outperform methods based on specialized representations of SL formulas. The drawback of our BDD-based implementation is its poor memory performance on some examples. However, there is still scope for improving our implementation, especially in finding more efficient ways of eliminating unnecessary BDD nodes as is possible with DDDs. Furthermore, note that the memory problems we face arise from our use of BDDs, while the techniques we have presented in this paper can make use of any representation of Boolean functions. In particular, we are starting to work on a SAT-based implementation of our method; such an implementation might better handle the growth in the number of Boolean variables. Finally, we are also exploring heuristics for automatically generating good BDD variable orderings, such as those based on compositional methods [7].